actionpack 7.0.4 → 7.1.5.1

data/lib/action_dispatch/journey/formatter.rb

@@ -57,6 +57,9 @@ module ActionDispatch
       end
 
       def generate(name, options, path_parameters)
+        original_options = options.dup
+        path_params = options.delete(:path_params) || {}
+        options = path_params.merge(options)
         constraints = path_parameters.merge(options)
         missing_keys = nil
 
@@ -70,8 +73,11 @@ module ActionDispatch
 
           missing_keys = missing_keys(route, parameterized_parts)
           next if missing_keys && !missing_keys.empty?
-          params = options.dup.delete_if do |key, _|
-            parameterized_parts.key?(key) || route.defaults.key?(key)
+          params = options.delete_if do |key, _|
+            # top-level params' normal behavior of generating query_params
+            # should be preserved even if the same key is also a bind_param
+            parameterized_parts.key?(key) || route.defaults.key?(key) ||
+              (path_params.key?(key) && !original_options.key?(key))
           end
 
           defaults       = route.defaults

data/lib/action_dispatch/journey/path/pattern.rb

@@ -183,22 +183,22 @@ module ActionDispatch
           end
 
           def offsets
-            return @offsets if @offsets
-
-            @offsets = [0]
-
-            spec.find_all(&:symbol?).each do |node|
-              node = node.to_sym
-
-              if @requirements.key?(node)
-                re = /#{Regexp.union(@requirements[node])}|/
-                @offsets.push((re.match("").length - 1) + @offsets.last)
-              else
-                @offsets << @offsets.last
+            @offsets ||= begin
+              offsets = [0]
+
+              spec.find_all(&:symbol?).each do |node|
+                node = node.to_sym
+
+                if @requirements.key?(node)
+                  re = /#{Regexp.union(@requirements[node])}|/
+                  offsets.push((re.match("").length - 1) + offsets.last)
+                else
+                  offsets << offsets.last
+                end
               end
-            end
 
-            @offsets
+              offsets
+            end
           end
       end
     end

data/lib/action_dispatch/journey/route.rb

@@ -5,7 +5,7 @@ module ActionDispatch
   module Journey
     class Route
       attr_reader :app, :path, :defaults, :name, :precedence, :constraints,
-                  :internal, :scope_options, :ast
+                  :internal, :scope_options, :ast, :source_location
 
       alias :conditions :constraints
 
@@ -53,7 +53,7 @@ module ActionDispatch
       ##
       # +path+ is a path constraint.
       # +constraints+ is a hash of constraints to be applied to this route.
-      def initialize(name:, app: nil, path:, constraints: {}, required_defaults: [], defaults: {}, request_method_match: nil, precedence: 0, scope_options: {}, internal: false)
+      def initialize(name:, app: nil, path:, constraints: {}, required_defaults: [], defaults: {}, request_method_match: nil, precedence: 0, scope_options: {}, internal: false, source_location: nil)
         @name        = name
         @app         = app
         @path        = path
@@ -69,6 +69,7 @@ module ActionDispatch
         @path_formatter    = @path.build_formatter
         @scope_options     = scope_options
         @internal          = internal
+        @source_location   = source_location
 
         @ast = @path.ast.root
         @path.ast.route = self

data/lib/action_dispatch/journey/router.rb

@@ -29,7 +29,7 @@ module ActionDispatch
       end
 
       def serve(req)
-        find_routes(req).each do |match, parameters, route|
+        find_routes(req) do |match, parameters, route|
           set_params  = req.path_parameters
           path_info   = req.path_info
           script_name = req.script_name
@@ -46,24 +46,25 @@ module ActionDispatch
           }
 
           req.path_parameters = tmp_params
+          req.route_uri_pattern = route.path.spec.to_s
 
-          status, headers, body = route.app.serve(req)
+          _, headers, _ = response = route.app.serve(req)
 
-          if "pass" == headers["X-Cascade"]
+          if "pass" == headers[Constants::X_CASCADE]
             req.script_name     = script_name
             req.path_info       = path_info
             req.path_parameters = set_params
             next
           end
 
-          return [status, headers, body]
+          return response
         end
 
-        [404, { "X-Cascade" => "pass" }, ["Not Found"]]
+        [404, { Constants::X_CASCADE => "pass" }, ["Not Found"]]
       end
 
       def recognize(rails_req)
-        find_routes(rails_req).each do |match, parameters, route|
+        find_routes(rails_req) do |match, parameters, route|
           unless route.path.anchored
             rails_req.script_name = match.to_s
             rails_req.path_info   = match.post_match
@@ -120,14 +121,14 @@ module ActionDispatch
 
           routes.sort_by!(&:precedence)
 
-          routes.map! { |r|
+          routes.each { |r|
             match_data = r.path.match(path_info)
             path_parameters = {}
             match_data.names.each_with_index { |name, i|
               val = match_data[i + 1]
               path_parameters[name.to_sym] = Utils.unescape_uri(val) if val
             }
-            [match_data, path_parameters, r]
+            yield [match_data, path_parameters, r]
           }
         end
 

data/lib/action_dispatch/journey/routes.rb

@@ -9,8 +9,8 @@ module ActionDispatch
 
       attr_reader :routes, :custom_routes, :anchored_routes
 
-      def initialize
-        @routes             = []
+      def initialize(routes = [])
+        @routes             = routes
         @ast                = nil
         @anchored_routes    = []
         @custom_routes      = []

data/lib/action_dispatch/log_subscriber.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module ActionDispatch
+  class LogSubscriber < ActiveSupport::LogSubscriber
+    def redirect(event)
+      payload = event.payload
+
+      info { "Redirected to #{payload[:location]}" }
+
+      info do
+        status = payload[:status]
+
+        message = +"Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{event.duration.round}ms"
+        message << "\n\n" if defined?(Rails.env) && Rails.env.development?
+
+        message
+      end
+    end
+    subscribe_log_level :redirect, :info
+  end
+end
+
+ActionDispatch::LogSubscriber.attach_to :action_dispatch

data/lib/action_dispatch/middleware/actionable_exceptions.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require "erb"
 require "uri"
 require "active_support/actionable_error"
 
@@ -30,15 +29,15 @@ module ActionDispatch
         uri = URI.parse location
 
         if uri.relative? || uri.scheme == "http" || uri.scheme == "https"
-          body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(location)}\">redirected</a>.</body></html>"
+          body = ""
         else
-          return [400, { "Content-Type" => "text/plain" }, ["Invalid redirection URI"]]
+          return [400, { Rack::CONTENT_TYPE => "text/plain; charset=utf-8" }, ["Invalid redirection URI"]]
         end
 
         [302, {
-          "Content-Type" => "text/html; charset=#{Response.default_charset}",
-          "Content-Length" => body.bytesize.to_s,
-          "Location" => location,
+          Rack::CONTENT_TYPE => "text/html; charset=#{Response.default_charset}",
+          Rack::CONTENT_LENGTH => body.bytesize.to_s,
+          ActionDispatch::Constants::LOCATION => location,
         }, [body]]
       end
   end

data/lib/action_dispatch/middleware/assume_ssl.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module ActionDispatch
+  # = Action Dispatch \AssumeSSL
+  #
+  # When proxying through a load balancer that terminates SSL, the forwarded request will appear
+  # as though it's HTTP instead of HTTPS to the application. This makes redirects and cookie
+  # security target HTTP instead of HTTPS. This middleware makes the server assume that the
+  # proxy already terminated SSL, and that the request really is HTTPS.
+  class AssumeSSL
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      env["HTTPS"] = "on"
+      env["HTTP_X_FORWARDED_PORT"] = "443"
+      env["HTTP_X_FORWARDED_PROTO"] = "https"
+      env["rack.url_scheme"] = "https"
+
+      @app.call(env)
+    end
+  end
+end

data/lib/action_dispatch/middleware/callbacks.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 module ActionDispatch
+  # = Action Dispatch \Callbacks
+  #
   # Provides callbacks to be executed before and after dispatching the request.
   class Callbacks
     include ActiveSupport::Callbacks

data/lib/action_dispatch/middleware/cookies.rb

@@ -70,7 +70,7 @@ module ActionDispatch
     end
 
     def cookies_same_site_protection
-      get_header(Cookies::COOKIES_SAME_SITE_PROTECTION) || Proc.new { }
+      get_header(Cookies::COOKIES_SAME_SITE_PROTECTION)&.call(self)
     end
 
     def cookies_digest
@@ -92,10 +92,10 @@ module ActionDispatch
     include RequestCookieMethods
   end
 
-  # Read and write data to cookies through ActionController::Base#cookies.
+  # Read and write data to cookies through ActionController::Cookies#cookies.
   #
   # When reading cookie data, the data is read from the HTTP request header, Cookie.
-  # When writing cookie data, the data is sent out in the HTTP response header, Set-Cookie.
+  # When writing cookie data, the data is sent out in the HTTP response header, +Set-Cookie+.
   #
   # Examples of writing:
   #
@@ -160,13 +160,18 @@ module ActionDispatch
   #   to <tt>:all</tt>. To support multiple domains, provide an array, and
   #   the first domain matching <tt>request.host</tt> will be used. Make
   #   sure to specify the <tt>:domain</tt> option with <tt>:all</tt> or
-  #   <tt>Array</tt> again when deleting cookies.
+  #   <tt>Array</tt> again when deleting cookies. For more flexibility you
+  #   can set the domain on a per-request basis by specifying <tt>:domain</tt>
+  #   with a proc.
   #
   #     domain: nil  # Does not set cookie domain. (default)
   #     domain: :all # Allow the cookie for the top most level
   #                  # domain and subdomains.
   #     domain: %w(.example.com .example.org) # Allow the cookie
   #                                           # for concrete domain names.
+  #     domain: proc { Tenant.current.cookie_domain } # Set cookie domain dynamically
+  #     domain: proc { |req| ".sub.#{req.host}" }     # Set cookie domain dynamically based on request
+  #
   #
   # * <tt>:tld_length</tt> - When using <tt>:domain => :all</tt>, this option can be used to explicitly
   #   set the TLD length when using a short (<= 3 character) domain that is being interpreted as part of a TLD.
@@ -178,7 +183,8 @@ module ActionDispatch
   #   only HTTP. Defaults to +false+.
   # * <tt>:same_site</tt> - The value of the +SameSite+ cookie attribute, which
   #   determines how this cookie should be restricted in cross-site contexts.
-  #   Possible values are +:none+, +:lax+, and +:strict+. Defaults to +:lax+.
+  #   Possible values are +nil+, +:none+, +:lax+, and +:strict+. Defaults to
+  #   +:lax+.
   class Cookies
     HTTP_HEADER   = "Set-Cookie"
     GENERATOR_KEY = "action_dispatch.key_generator"
@@ -290,20 +296,6 @@ module ActionDispatch
     class CookieJar # :nodoc:
       include Enumerable, ChainedCookieJars
 
-      # This regular expression is used to split the levels of a domain.
-      # The top level domain can be any string without a period or
-      # **.**, ***.** style TLDs like co.uk or com.au
-      #
-      # www.example.co.uk gives:
-      # $& => example.co.uk
-      #
-      # example.com gives:
-      # $& => example.com
-      #
-      # lots.of.subdomains.example.local gives:
-      # $& => example.local
-      DOMAIN_REGEXP = /[^.]*\.([^.]*|..\...|...\...)$/
-
       def self.build(req, cookies)
         jar = new(req)
         jar.update(cookies)
@@ -390,6 +382,8 @@ module ActionDispatch
       # Removes the cookie on the client machine by setting the value to an empty string
       # and the expiration date in the past. Like <tt>[]=</tt>, you can pass in
       # an options hash to delete cookies with extra data such as a <tt>:path</tt>.
+      #
+      # Returns the value of the cookie, or +nil+ if the cookie does not exist.
       def delete(name, options = {})
         return unless @cookies.has_key? name.to_s
 
@@ -415,9 +409,15 @@ module ActionDispatch
         @cookies.each_key { |k| delete(k, options) }
       end
 
-      def write(headers)
-        if header = make_set_cookie_header(headers[HTTP_HEADER])
-          headers[HTTP_HEADER] = header
+      def write(response)
+        @set_cookies.each do |name, value|
+          if write_cookie?(value)
+            response.set_cookie(name, value)
+          end
+        end
+
+        @delete_cookies.each do |name, value|
+          response.delete_cookie(name, value)
         end
       end
 
@@ -428,19 +428,6 @@ module ActionDispatch
           ::Rack::Utils.escape(string)
         end
 
-        def make_set_cookie_header(header)
-          header = @set_cookies.inject(header) { |m, (k, v)|
-            if write_cookie?(v)
-              ::Rack::Utils.add_cookie_to_header(m, k, v)
-            else
-              m
-            end
-          }
-          @delete_cookies.inject(header) { |m, (k, v)|
-            ::Rack::Utils.add_remove_cookie_to_header(m, k, v)
-          }
-        end
-
         def write_cookie?(cookie)
           request.ssl? || !cookie[:secure] || always_write_cookie || request.host.end_with?(".onion")
         end
@@ -452,17 +439,40 @@ module ActionDispatch
 
           options[:path]      ||= "/"
 
-          cookies_same_site_protection = request.cookies_same_site_protection
-          options[:same_site] ||= cookies_same_site_protection.call(request)
+          unless options.key?(:same_site)
+            options[:same_site] = request.cookies_same_site_protection
+          end
 
           if options[:domain] == :all || options[:domain] == "all"
-            # If there is a provided tld length then we use it otherwise default domain regexp.
-            domain_regexp = options[:tld_length] ? /([^.]+\.?){#{options[:tld_length]}}$/ : DOMAIN_REGEXP
+            cookie_domain = ""
+            dot_splitted_host = request.host.split(".", -1)
+
+            # Case where request.host is not an IP address or it's an invalid domain
+            # (ip confirms to the domain structure we expect so we explicitly check for ip)
+            if request.host.match?(/^[\d.]+$/) || dot_splitted_host.include?("") || dot_splitted_host.length == 1
+              options[:domain] = nil
+              return
+            end
 
-            # If host is not ip and matches domain regexp.
-            # (ip confirms to domain regexp so we explicitly check for ip)
-            options[:domain] = if !request.host.match?(/^[\d.]+$/) && (request.host =~ domain_regexp)
-              ".#{$&}"
+            # If there is a provided tld length then we use it otherwise default domain.
+            if options[:tld_length].present?
+              # Case where the tld_length provided is valid
+              if dot_splitted_host.length >= options[:tld_length]
+                cookie_domain = dot_splitted_host.last(options[:tld_length]).join(".")
+              end
+            # Case where tld_length is not provided
+            else
+              # Regular TLDs
+              if !(/\.[^.]{2,3}\.[^.]{2}\z/.match?(request.host))
+                cookie_domain = dot_splitted_host.last(2).join(".")
+              # **.**, ***.** style TLDs like co.uk and com.au
+              else
+                cookie_domain = dot_splitted_host.last(3).join(".")
+              end
+            end
+
+            options[:domain] = if cookie_domain.present?
+              cookie_domain
             end
           elsif options[:domain].is_a? Array
             # If host matches one of the supplied domains.
@@ -470,6 +480,8 @@ module ActionDispatch
               domain = domain.delete_prefix(".")
               request.host == domain || request.host.end_with?(".#{domain}")
             end
+          elsif options[:domain].respond_to?(:call)
+            options[:domain] = options[:domain].call(request)
           end
         end
     end
@@ -533,75 +545,57 @@ module ActionDispatch
         end
     end
 
-    class MarshalWithJsonFallback # :nodoc:
-      def self.load(value)
-        Marshal.load(value)
-      rescue TypeError => e
-        ActiveSupport::JSON.decode(value) rescue raise e
-      end
-
-      def self.dump(value)
-        Marshal.dump(value)
-      end
-    end
-
-    class JsonSerializer # :nodoc:
-      def self.load(value)
-        ActiveSupport::JSON.decode(value)
-      end
-
-      def self.dump(value)
-        ActiveSupport::JSON.encode(value)
-      end
-    end
-
     module SerializedCookieJars # :nodoc:
-      MARSHAL_SIGNATURE = "\x04\x08"
       SERIALIZER = ActiveSupport::MessageEncryptor::NullSerializer
 
       protected
-        def needs_migration?(value)
-          request.cookies_serializer == :hybrid && value.start_with?(MARSHAL_SIGNATURE)
+        def digest
+          request.cookies_digest || "SHA1"
         end
 
-        def serialize(value)
-          serializer.dump(value)
+      private
+        def serializer
+          @serializer ||=
+            case request.cookies_serializer
+            when nil
+              ActiveSupport::Messages::SerializerWithFallback[:marshal]
+            when :hybrid
+              ActiveSupport::Messages::SerializerWithFallback[:json_allow_marshal]
+            when Symbol
+              ActiveSupport::Messages::SerializerWithFallback[request.cookies_serializer]
+            else
+              request.cookies_serializer
+            end
         end
 
-        def deserialize(name)
-          rotate = false
-          value  = yield -> { rotate = true }
+        def reserialize?(dumped)
+          serializer.is_a?(ActiveSupport::Messages::SerializerWithFallback) &&
+            serializer != ActiveSupport::Messages::SerializerWithFallback[:marshal] &&
+            !serializer.dumped?(dumped)
+        end
 
-          if value
-            case
-            when needs_migration?(value)
-              Marshal.load(value).tap do |v|
-                self[name] = { value: v }
-              end
-            when rotate
-              serializer.load(value).tap do |v|
-                self[name] = { value: v }
-              end
-            else
-              serializer.load(value)
+        def parse(name, dumped, force_reserialize: false, **)
+          if dumped
+            begin
+              value = serializer.load(dumped)
+            rescue StandardError
+              return
             end
+
+            self[name] = { value: value } if force_reserialize || reserialize?(dumped)
+
+            value
           end
         end
 
-        def serializer
-          serializer = request.cookies_serializer || :marshal
-          case serializer
-          when :marshal
-            MarshalWithJsonFallback
-          when :json, :hybrid
-            JsonSerializer
-          else
-            serializer
-          end
+        def commit(name, options)
+          options[:value] = serializer.dump(options[:value])
         end
 
-        def digest
-          request.cookies_digest || "SHA1"
+        def check_for_overflow!(name, options)
+          if options[:value].bytesize > MAX_COOKIE_SIZE
+            raise CookieOverflow, "#{name} cookie overflowed with size #{options[:value].bytesize} bytes"
+          end
         end
     end
 
@@ -622,15 +616,15 @@ module ActionDispatch
 
       private
         def parse(name, signed_message, purpose: nil)
-          deserialize(name) do |rotate|
-            @verifier.verified(signed_message, on_rotation: rotate, purpose: purpose)
-          end
+          rotated = false
+          data = @verifier.verified(signed_message, purpose: purpose, on_rotation: -> { rotated = true })
+          super(name, data, force_reserialize: rotated)
         end
 
         def commit(name, options)
-          options[:value] = @verifier.generate(serialize(options[:value]), **cookie_metadata(name, options))
-
-          raise CookieOverflow if options[:value].bytesize > MAX_COOKIE_SIZE
+          super
+          options[:value] = @verifier.generate(options[:value], **cookie_metadata(name, options))
+          check_for_overflow!(name, options)
         end
     end
 
@@ -672,17 +666,17 @@ module ActionDispatch
 
       private
         def parse(name, encrypted_message, purpose: nil)
-          deserialize(name) do |rotate|
-            @encryptor.decrypt_and_verify(encrypted_message, on_rotation: rotate, purpose: purpose)
-          end
+          rotated = false
+          data = @encryptor.decrypt_and_verify(encrypted_message, purpose: purpose, on_rotation: -> { rotated = true })
+          super(name, data, force_reserialize: rotated)
         rescue ActiveSupport::MessageEncryptor::InvalidMessage, ActiveSupport::MessageVerifier::InvalidSignature
           nil
         end
 
         def commit(name, options)
-          options[:value] = @encryptor.encrypt_and_sign(serialize(options[:value]), **cookie_metadata(name, options))
-
-          raise CookieOverflow if options[:value].bytesize > MAX_COOKIE_SIZE
+          super
+          options[:value] = @encryptor.encrypt_and_sign(options[:value], **cookie_metadata(name, options))
+          check_for_overflow!(name, options)
         end
     end
 
@@ -691,21 +685,18 @@ module ActionDispatch
     end
 
     def call(env)
-      request = ActionDispatch::Request.new env
-
-      status, headers, body = @app.call(env)
+      request = ActionDispatch::Request.new(env)
+      response = @app.call(env)
 
       if request.have_cookie_jar?
         cookie_jar = request.cookie_jar
         unless cookie_jar.committed?
-          cookie_jar.write(headers)
-          if headers[HTTP_HEADER].respond_to?(:join)
-            headers[HTTP_HEADER] = headers[HTTP_HEADER].join("\n")
-          end
+          response = Rack::Response[*response]
+          cookie_jar.write(response)
         end
       end
 
-      [status, headers, body]
+      response.to_a
     end
   end
 end